Downadup/ Conficker worm and CFP Defence Plus

Discussion in 'other anti-malware software' started by aigle, Jan 25, 2009.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan

    Attached: a.jpg, aa.jpg (screenshots)
    Last edited: Jan 25, 2009
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    OA gives these alerts.
     

    Attached: 13.gif, 15.jpg (screenshots)
  3. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Hmm, that message Comodo gives in the 2nd screenshot is a bit troubling; after reading the message most people would click Allow. Hmm, I hope Comodo fixes that.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    They did not agree and will not change it.
     
  5. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    Aigle, interesting and informative discussion. But it is critical of Comodo, so unlikely to have any effect. At least you helped get OA to add some improvements in the latest version. Thank you for your efforts.
     
  6. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Yes, OA's alerts are much clearer, but if they don't want to listen... Pity.
     
  7. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Not a pity to Comodo, a pity to the user. They rely on programs like CFP to protect them in an adequate way.
     
  8. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I think Comodo can protect in a more than adequate way. Not perfect, of course. One flaw in a product doesn't make the whole product garbage. I don't know how Conficker is delivered, but if it was an exe, I would have blocked it anyway, despite the confusing pop-ups.

    Comodo is the best value-for-money firewall/HIPS product right now, if nothing else, and runs very light too.

    Don't be so harsh about it. Which one would you say is a better alternative for this kind of software?
     
  9. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    You are overreacting. I didn't mention the word "garbage", nor did I give the reader such an impression.
    You had better inform yourself about the ins and outs of that worm before you comment on issues regarding that piece of malware. BTW, we have to consider the user without (specific) knowledge and how HE will react.
    Calling out one weak spot can hardly be categorised as being "harsh". And no, I will NOT suggest any alternative; that will lead to endless discussions about product x being better than product y, and so on.
     
  10. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Sorry, my misunderstanding! I took the "Not a pity to Comodo, a pity to the user. They rely on programs like CFP to protect them in an adequate way." comment as a way of saying that Comodo is practically trash, an unreliable product. My mistake; I am not a native English speaker.

    You're right. I am not informed. I hope this doesn't, though, have something to do with what I said about Comodo not being bad.

    As I said, I misinterpreted your comment as a too harsh attack on Comodo. Your remark appeared to me not concentrated on a weak spot, but rather bashing the entire product. My mistake. OK, I am not going to force you to say which is better, don't worry. I was just curious to see the opinion of an expert! Recently I read the opinion of another expert and I wanted to see if it coincides with yours.
     
  11. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    Just noting that Comodo has a long history of being intransigent about changes they didn't invent. Logging, SPI, the "ask" function, proxy issues, network management, Threatcast, AV features, standalone configurations, ... and many GUI aspects come to mind as issues that have led to long threads that have gone nowhere. Or look at their wish list, aka "black hole". But the long term Comodo users are certainly able to adapt to and use the Comodo features successfully.
     
    Last edited: Jan 25, 2009
  12. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    No prob. :)
     
  13. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    aigle, even as a non-experienced user of HIPS software I can clearly see how this is wrong. You didn't talk about the AV not doing its job (if I remember correctly...), still that's what Melih keeps talking about. The AV! It's off-topic! :blink: On your side about this improper alert - what that discussion was actually about and proper criticism IMO.
     
    Last edited: Jan 25, 2009
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi aigle,

    Nice tests! And very interesting reactions over at the Comodo forum.

    I certainly hope not!

    Here you have an instance of connecting a USB device to your computer and some automatic action occurs.

    Surely anyone with a HIPS program would be knowledgeable enough to question why something not normal is occurring, then Deny that action, and finally look at the contents of the device to see what was going on. Hopefully you would question why there is an AutoRun.inf file there.

    More basic than that: surely anyone with a HIPS program would be knowledgeable enough about the dangers of AutoRun that procedures would be in place so that the exploit wouldn't run anyway.

    It seems to me that people are asking a software product to do a task here that should be taken care of by common sense.

    ----
    rich
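    The step Rmus describes, stopping at the first alert and looking at what is on the USB device, comes down to reading the autorun.inf and finding the directive that launches code. The following is an added example written for this thread, not code posted by anyone in it and not a Comodo or Wilders tool. It parses an autorun.inf the way a triage script would, flagging the documented launch directives (`open`, `shellexecute`, `shell\<verb>\command`) and a label that mimics the built-in "Open folder to view files" AutoPlay option. The sample files are constructed for the example; the first one is patterned after the publicly reported Conficker layout (a rundll32 entry pointing into a RECYCLER folder, padded with junk lines), and the SID-style folder name and file names in it are placeholders, not the worm's real values.

```python
"""Triage an autorun.inf: which directives launch code, and do they look odd?

Added example for this thread, not code from the original posts.
Sample inputs at the bottom are constructed; the SID-like path is a placeholder.
"""
import re

# Directives that make Windows run something when AutoRun/AutoPlay honours them.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... also runs code when the verb is invoked
# (or made the default action with shell=<verb>).
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Targets worth a second look. Tuned for this thread's worm, not exhaustive.
SUSPICIOUS_TARGET_RE = re.compile(
    r"(rundll32|recycler|\.vmx\b|\.dll\b|cmd\.exe|wscript|cscript|\.scr\b)",
    re.IGNORECASE,
)


def parse_autorun(text):
    """Return the [autorun] section as {lowercase key: value}.

    Lines that are not key=value pairs (junk padding, comments) are ignored,
    which is what makes a padded file still parse.
    """
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def triage(text):
    """Return a list of (key, value, reason) tuples for directives that run code."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            reason = "launches code"
            if SUSPICIOUS_TARGET_RE.search(value):
                reason += ", suspicious target"
            findings.append((key, value, reason))
    # A label copying the built-in AutoPlay option is a social-engineering tell,
    # but only matters if something on the device actually launches code.
    action = entries.get("action", "")
    if findings and "open folder" in action.lower():
        findings.append((
            "action", action,
            "label mimics the built-in 'Open folder to view files' option",
        ))
    return findings


# Constructed sample, patterned after reported Conficker autorun.inf layout.
SAMPLE_WORM = r"""[autorun]
; constructed sample for this example
#&)r@!xQ%%^^ junk padding
ACTION=Open folder to view files
icon=%systemroot%\system32\shell32.dll,4
ShellExecute=RUNDLL32.EXE .\RECYCLER\S-1-5-21-1111111111-2222222222-3333333333-500\payload.vmx,init
UseAutoPlay=1
"""

# Constructed sample of a vendor disc that only sets an icon and a label.
SAMPLE_BENIGN = "[autorun]\nicon=setup.exe,0\nlabel=Vendor Tools\n"

# Constructed sample using the shell\<verb>\command form.
SAMPLE_SHELL_VERB = (
    "[autorun]\nshell=install\nshell\\install=Install driver\n"
    "shell\\install\\command=.\\setup\\installer.exe\n"
)


if __name__ == "__main__":
    for name, text in [("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN),
                       ("shell verb", SAMPLE_SHELL_VERB)]:
        print(f"== {name} ==")
        for key, value, reason in triage(text) or [("-", "-", "nothing launches code")]:
            print(f"  {key}={value}  [{reason}]")
```

    The parser deliberately keeps going past garbage lines, because a padded file is still honoured by Windows and a triage script that chokes on the junk would miss the one directive that matters.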
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well,

    I agree with Firzen and Aigle, the message of Comodo is blurred. Of course you have got a point that after adding an external source (be it USB or Internet) every pop-up is suspicious.

    It made me change to Online Armor (also available in Dutch :thumb: ) after getting GeSWall to work with internet control AND getting Chrome to work with GeSWall while virtualising the registry and allowing Chrome access only to two directories, TEMP and Downloads (so I could disable the FW in OA :blink: )
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    No Rmus, the user can allow this alert. Being a user of HIPS I can tell you that memory access alerts between two legit applications are so common that I will never think to block any of them (unless one of the applications is unknown or suspicious). In fact I guess that many users might end up having a permanent allow rule for this action.

    Also with its default rules, CFP doesn't give any info about the autorun.inf file being present there or being created.
     
    Last edited: Jan 25, 2009
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Sorry, I did not understand you fully.
    I am not interested in the AV as I don't use it (or any other one). Their AV is for sure immature, all of us know, no matter what they claim. Future? Only time will tell.

    BTW the AV caught this specific worm. :thumb:
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks for your replies. At least I am relaxed that I am not alone in this assessment. On the Comodo forums, I felt different. :D
     
  19. Swordfish_

    Swordfish_ Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    63
    Could somebody PM me a link to the actual test, so that I could run it on my machine with the newest CIS beta? I am especially interested in whether they did anything about that autorun.inf present on a removable device.

    And yes, interprocess memory access is so common that 95% of HIPS users wouldn't hesitate much before clicking "allow".

    Thank you in advance.

    Best regards :)

    ps. CIS is still, in my humble opinion, a very good product.
     
    Last edited: Jan 25, 2009
  20. Pit Frog

    Pit Frog Guest

    Joined:
    Dec 6, 2008
    Posts:
    0
    C'mon people,

    Comodo users have been protected out of the box from this worm since day 0.

    You shouldn't get to the second alert if you read the first one and deal with it as advised.

    And even if you do mess up, the AV picks it up.

    Why should Comodo change things for people who refuse to understand how things work?
    It is obvious here and on other forums that it bothers people that there is free software that offers such complete and simple protection.

    My guess in many cases is that there is no $ in admitting that the free app in question is as good as or better than their paid one.
    And in other cases, what would you have to do but get on with your lives if your security was set?

    Peace out.
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I can understand this, which is why I think HIPS is not very practical for the user who is not somewhat technically literate.

    It seems to me that for the experienced users of HIPS, if connecting a USB device immediately triggers an alert, surely they would think that something must not be right. Why wouldn't they stop everything at this point and check the USB drive? Surely they know that the only way something can trigger from a USB device is via Autorun.inf. If not, then I think they need to re-evaluate their basic knowledge of computer operations.

    ----
    rich
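    Rmus's point that an experienced HIPS user should already have AutoRun dealt with before a USB device is ever plugged in is a configuration question, so here is an added example that audits it. This is my code for this thread, not something posted by a participant or shipped by Comodo. It checks the three registry settings that decided the outcome in early 2009: the `NoDriveTypeAutoRun` bitmask under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer` (bit 0x04 covers removable drives), the `HonorAutoRunSetting` value that Microsoft's AutoRun update adds under the same key, and the US-CERT TA09-020A workaround of mapping `IniFileMapping\Autorun.inf` to `@SYS:DoesNotExist` so Windows reads an empty file for every autorun.inf. The `assess()` function works on a plain dict so it runs anywhere; `read_live_snapshot()` fills that dict from the registry only on Windows. Both snapshots at the bottom are constructed, and the 0x91 value is just an illustrative pre-hardening mask, not a claim about any particular Windows default.

```python
"""Audit the registry settings that govern AutoRun for removable media.

Added example for this thread, not code from the original posts.
assess() takes a dict snapshot; read_live_snapshot() builds one on Windows.
The two snapshots at the bottom are constructed for illustration.
"""
import sys

REMOVABLE = 0x04   # DRIVE_REMOVABLE bit in NoDriveTypeAutoRun
ALL_DRIVES = 0xFF  # every drive-type bit set: AutoRun off everywhere

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# Mapping "Autorun.inf" to a key that does not exist makes Windows read an
# empty file for every autorun.inf (the US-CERT TA09-020A workaround).
INIMAP_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
INIMAP_SAFE = "@SYS:DoesNotExist"


def assess(snapshot):
    """Return (hardened, findings) for a snapshot dict.

    Snapshot keys (None when the registry value is absent):
      NoDriveTypeAutoRun, HonorAutoRunSetting, IniFileMappingAutorun
    """
    findings = []
    mask = snapshot.get("NoDriveTypeAutoRun")
    honor = snapshot.get("HonorAutoRunSetting")
    inimap = snapshot.get("IniFileMappingAutorun")

    if mask is None:
        findings.append("NoDriveTypeAutoRun not set under the policy key; "
                        "set it to 0x%02X" % ALL_DRIVES)
    elif not mask & REMOVABLE:
        findings.append("NoDriveTypeAutoRun=0x%02X leaves removable drives "
                        "enabled; set it to 0x%02X" % (mask, ALL_DRIVES))
    if honor != 1:
        findings.append("HonorAutoRunSetting is not 1: the AutoRun update that "
                        "makes NoDriveTypeAutoRun apply to autorun.inf actions "
                        "does not appear to be installed")
    if inimap != INIMAP_SAFE:
        findings.append("IniFileMapping\\Autorun.inf not redirected to "
                        + INIMAP_SAFE + "; autorun.inf files are still parsed")

    # Either the IniFileMapping redirect alone, or a removable-drive mask that
    # Windows actually honours, is enough to keep autorun.inf from running code.
    mask_effective = mask is not None and bool(mask & REMOVABLE) and honor == 1
    hardened = inimap == INIMAP_SAFE or mask_effective
    return hardened, findings


def read_live_snapshot():
    """Read the three values from HKLM on Windows; return None elsewhere.

    Only HKLM is read here; a per-user NoDriveTypeAutoRun under HKCU exists
    too and a fuller audit would check both hives.
    """
    if sys.platform != "win32":
        return None
    import winreg

    def query(path, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None

    return {
        "NoDriveTypeAutoRun": query(POLICY_KEY, "NoDriveTypeAutoRun"),
        "HonorAutoRunSetting": query(POLICY_KEY, "HonorAutoRunSetting"),
        "IniFileMappingAutorun": query(INIMAP_KEY, ""),  # "" = default value
    }


# Constructed snapshots: a machine before and after hardening.
SNAPSHOT_BEFORE = {"NoDriveTypeAutoRun": 0x91,
                   "HonorAutoRunSetting": None,
                   "IniFileMappingAutorun": None}
SNAPSHOT_AFTER = {"NoDriveTypeAutoRun": ALL_DRIVES,
                  "HonorAutoRunSetting": 1,
                  "IniFileMappingAutorun": INIMAP_SAFE}


if __name__ == "__main__":
    live = read_live_snapshot()
    for label, snap in [("before", SNAPSHOT_BEFORE), ("after", SNAPSHOT_AFTER),
                        ("this machine", live)]:
        if snap is None:
            continue
        hardened, findings = assess(snap)
        print(f"{label}: {'hardened' if hardened else 'NOT hardened'}")
        for f in findings:
            print("  -", f)
```

    The reason the audit treats the IniFileMapping redirect as sufficient on its own is that it removes the autorun.inf from the picture entirely, whereas the bitmask only works once the OS update that makes Explorer honour it is present; that distinction is exactly why a user who had "disabled AutoRun" could still be presented with the worm's fake "Open folder" action.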
     
  22. 3xist

    3xist Guest

    Hi Guys.

    This worm can be simply stopped in its tracks with the "COMODO - Proactive Security" configuration in CIS, as Egemen, the lead CIS developer, said.

    Comodo would NOT leave you vulnerable knowingly anyway, even with the default CIS configuration, and also the AV picks it up.

    Let's say you only run Avira and the AV didn't detect it (which it does)... You're dead. At least CIS does detect this worm, alerts the user with D+, etc., and as always for advanced users, Proactive Security & Paranoid mode can be for you, for further testing. But you are protected with the default configuration because of the likes of the AV along with it (and if a user didn't install the AV on installation, they have 3 choices to make sure they are protected according to their needs, from Basic Firewall to Max Defense+, which some users may choose if they do not have an AV or something). Remember ThreatCast is coming up to solve a lot of users being unsure about certain alerts, so anyone aged 7-100 can use CIS.

    Cheers,
    Josh
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I agree with you.

    Actually the Downadup/ Conficker worm is just an example that runs from a USB drive and has the potential/ possibility to bypass a HIPS with a single wrong click by the user.

    We don't know about the future; we might see some drive-by attacks via browser, some DLL loading etc. that will work in a similar way and might be even more tricky to deceive the user.

    For me HIPS are like an advanced anti-executable with behaviour blocker components and they are meant to deal with zero-day malware techniques, so I expect them to mitigate the damage even if the malware is somehow allowed to run by the user. This was the basis for all these tests and my thread at the Comodo forums.
     
  24. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    LOL. Well I confess to having $25 invested in my two machines' worth of security suites and hope Tall Emu doesn't run off with it. But I think the AV still runs before the HIPS on the incoming traffic, so no recovery there. AV keeps things from getting in, HIPS keeps things from getting out/executing. And have you missed that many of the posters in this thread are Comodo users who speak well of CIS and are dismayed at the tone and finality of the Aigle thread responses there? Including Aigle. And perhaps they might be surprised that someone from the Comodo board would bother to register and troll here with a new name, instead of the one they use there. Or are you banned here under your other name? But interesting discussion anyway. :)

    And we shall see with Threatcast. There is certainly a lot of skepticism, enough to have Melih try to quiet it with a "Why Threatcast will work" thread. And I had a good laugh over the "developing mathematical formulas" explanation for QA. I am a mathematician by training (have the degrees and experience) and it is a bit more complicated than that. BTW, you seem to have a lot of time to devote to Comodo again. Is this the holiday season for the Australian school system? Keep up the good work; Ed.
     
  25. 3xist

    3xist Guest

    It's like this. From a protection point of view, prevention should obviously be your first line of defense to be 99% protected against ANY malware. Detection then comes in 2nd, and cure is yet to be integrated into this.

    It is true, if the AV has a signature for a malware, or the heuristics in the next version detect actual malware behavior, then no, Defense+ will not alert you... There will be no point in receiving an AV alert and then a Defense+ alert. So here, malware vs malware usability is the same! And detection can still be second in stopping malware, because again AVs can only detect a percentage of malware. So, for example... the AV in CIS detects 40% of malware, prevention prevents the rest... So as confusing as this may sound (I know I am confusing myself too), prevention is still first in stopping malware because the AV is limited in detection.

    1) The AV in CIS Detection helps give Defense+ more usability.
    2) Everyone needs a layered security architecture.
    3) CIS is the only one to have PREVENTION as first line of defense.

    Hope this clarifies.

    Cheers,
    Josh
     